Cisco's Talos Group releases decryptor for TeslaCrypt


30 replies to this topic

#1 Grinler (Lawrence Abrams) - Admin, 45,113 posts, Gender: Male, Location: USA

Posted 27 April 2015 - 01:54 PM

Today Cisco's Talos Group posted an analysis of the TeslaCrypt ransomware along with a tool that may allow you to decrypt your files for free. Their findings indicate that the keys necessary to decrypt your files are in fact stored in the key.dat file created by TeslaCrypt. These keys, though, are shifted in a way that they are unable to be used without first restoring them to their original format. Unfortunately, depending on the version of TeslaCrypt that was installed, the master key may be stripped from the key.dat file, thus making free decryption currently impossible. Andrea Allievi, one of the researchers in this article, is hoping that it may be possible to recover this master key in the future.
 

teslacrypt-tool-success.png


To try and retrieve your master key and decrypt your files, you will need to download Cisco's TeslaDecrypt tool and run it. TeslaDecrypt will search your hard drive for the key.dat file and try to recover the master key. If it is able to do so, it will prompt if you wish to decrypt the whole computer or a specific folder. Unfortunately, some versions of TeslaCrypt strip the master key from the key.dat file and this tool will not be able to help you.
 

teslacrypt-tool-fail.png


The researchers in the Cisco Talos Group are hoping to create an algorithm to retrieve this master key in the future.

Update 4/28/15: If TeslaDecrypt cannot find a key.dat file, search your hard drive and if the file can be found move it to the same folder as TeslaDecrypt and try again.

Unfortunately, as is often the case, the disclosure of flaws in ransomware programs will ultimately lead to the malware developer creating a new version that fixes it. For those who are infected, though, now is your chance to try and get your files back.



#2 Sintharius (Bleepin' Sniper) - Members, 5,639 posts, Gender: Female, Location: The Netherlands

Posted 27 April 2015 - 01:58 PM

Well, at least they released a fix (unlike the incident with CryptoDefense...)

From the fact that some version of TeslaCrypt strips the master key off the file, I'd say that the author is already aware of the flaw and attempted to patch it already.

Thanks for the info Grinler!

#3 Valinorum (Shadow Hide The Hunter) - Malware Response Instructor, 2,209 posts, Gender: Not Telling

Posted 27 April 2015 - 02:09 PM

I currently have a user infected with this ransomware. I will ask him to run this.

Regards,
Valinorum

Geek U Graduate

I close my topic(s) with no replies for more than 4 days. PM me or the Moderators to reactivate. All help is provided via the forum, ergo do not PM me for help.

 


#4 A P Bustraan - Members, 24 posts

Posted 27 April 2015 - 02:36 PM

I was able to copy the key.dat file from an infected system, but when I try and run the program, I get the message "I was not able to import the TeslaCrypt Master key!". Is that an incompatible key.dat file or corrupt? Is there some way to submit it to use it towards finding a more complete decryption?



#5 force41 - Members, 9 posts

Posted 27 April 2015 - 09:12 PM

Kudos to Andrea for some excellent work here!

 

Our infection was one in which the key had already been stripped from the key.dat file. Perhaps one day, the algorithm may be learned. In the meantime, congratulations to those involved in producing the Tesla Decrypter.



#6 Jazzer. - Members, 4 posts

Posted 27 April 2015 - 10:47 PM

Sadly our infection also had the key pre-stripped.

Great effort here though.

Hopefully the algorithm targeting the recovery key is possible in the near future!



#7 Grinler (Lawrence Abrams), Topic Starter - Admin, 45,113 posts, Gender: Male, Location: USA

Posted 28 April 2015 - 09:59 AM

Added an update to the first post:

Update 4/28/15: If TeslaDecrypt cannot find a key.dat file, search your hard drive and if the file can be found move it to the same folder as TeslaDecrypt and try again.

#8 rls92 - Members, 5 posts

Posted 28 April 2015 - 10:14 AM

Sorry, new at this, can you describe how to search for the key.dat file on the hard drive? Thanks!



#9 Grinler (Lawrence Abrams), Topic Starter - Admin, 45,113 posts, Gender: Male, Location: USA

Posted 28 April 2015 - 10:26 AM

Sorry, new at this, can you describe how to search for the key.dat file on the hard drive? Thanks!


What version of windows are you using?

#10 rls92 - Members, 5 posts

Posted 28 April 2015 - 10:34 AM

I believe Windows 8, it's on my wife's computer, which is unfortunately at home, but it has apps and tiles.



#11 Grinler (Lawrence Abrams), Topic Starter - Admin, 45,113 posts, Gender: Male, Location: USA

Posted 29 April 2015 - 01:30 PM

I believe Windows 8, it's on my wife's computer, which is unfortunately at home, but it has apps and tiles.


Go to the Windows 8 start screen (that screen with all of the tiles) and just type C: and then press enter. The start screen should go away and you will see the Windows desktop and the C: drive open like below.

search-c.jpg


In the search field, indicated by the arrow in the image above, type key.dat and press enter. Windows will start searching for the file. This will take a while, so be patient. When it's done you will see where key.dat is located. An example of what it looks like on my computer is:

file-found.jpg
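For anyone who would rather do the key.dat search from the command line than from the Explorer search box, here is an added PowerShell script (not part of this thread and not part of Cisco's tool) that looks for key.dat on every fixed drive, lists each hit, and copies the newest non-empty one next to TeslaDecrypt as the 4/28 update suggests, leaving the original in place. The decryptor folder C:\TeslaDecrypt is an assumption; change it to wherever you unpacked the tool.

```powershell
# Added example, not part of the thread or of Cisco's TeslaDecrypt tool.
# Finds key.dat on every local fixed drive, lists each hit with size and
# timestamp, and copies the newest non-empty one next to TeslaDecrypt
# (the original stays where it is). Assumes PowerShell 3.0+ (Windows 8
# ships it) and that $DecryptorDir holds TeslaDecrypt (hypothetical path).
param(
    [string]$DecryptorDir = 'C:\TeslaDecrypt'
)

if (-not (Test-Path -LiteralPath $DecryptorDir -PathType Container)) {
    throw "Decryptor folder not found: $DecryptorDir"
}

# Fixed local drives only (DriveType 3); network and removable media are skipped.
$roots = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 3' |
    ForEach-Object { $_.DeviceID + '\' }

$hits = foreach ($root in $roots) {
    Write-Host "Searching $root for key.dat (this can take a while)..."
    # -Force includes hidden files; access-denied folders are skipped silently.
    Get-ChildItem -LiteralPath $root -Filter 'key.dat' -Recurse -Force `
        -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer }
}

if (-not $hits) {
    Write-Warning 'No key.dat found on any fixed drive.'
    return
}

# Show every hit so you can see which user profile each one belongs to.
$hits | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

# An empty file cannot hold a key; prefer the newest key.dat that has content.
$best = $hits | Where-Object { $_.Length -gt 0 } |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $best) {
    Write-Warning 'Every key.dat found is empty.'
    return
}

$dest = Join-Path $DecryptorDir 'key.dat'
if (Test-Path -LiteralPath $dest) {
    throw "Refusing to overwrite existing $dest"
}
Copy-Item -LiteralPath $best.FullName -Destination $dest
Write-Host "Copied $($best.FullName) to $dest. Now run TeslaDecrypt from $DecryptorDir."
```

Run it from an elevated PowerShell prompt so the search can reach every user profile; if the file it copies turns out to have the master key stripped, TeslaDecrypt will still report that it could not import the key, as several posters above saw.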



#12 rls92 - Members, 5 posts

Posted 29 April 2015 - 01:36 PM

Thank you, I will give it a try!



#13 ilmagnifico22 - Members, 6 posts

Posted 30 April 2015 - 10:49 AM

Thank you, solved!



#14 rls92 - Members, 5 posts

Posted 30 April 2015 - 08:46 PM

Found the key.dat file but alas no master key. I will hope for a further solution, thanks again for your assistance.



#15 jimsjims - Members, 5 posts

Posted 30 April 2015 - 08:52 PM

Hi All,

What a computer-kicking malware/virus!

OK, I surfed and loaded the teslacrypt.... the key.dat file was found. The decryptor is running on my workstation as I type.

I'll follow up with results.

 

This is the toughest malware/virus I've had to deal with. My thanks to the 1000 lb brains at Talos!





